On Tue, 19 Oct 2010 00:38:41 +0200, Michael Biebl <biebl@debian.org> wrote:
> Bdale went ahead and added the following to /etc/sudoers:
>
> # Allow members of group sudo to not need a password
> # (Note that later entries override this, so you might need to move
> # it further down)
> %sudo ALL=(ALL) ALL
Ah yes -- that's a bug in the comment of course.
The comment says (incorrectly) that people in the sudo group don't need
a password. It would need a NOPASSWD tag for the comment to be correct.
Thankfully, the configuration does the right thing, and requires that
the user know their own password to become root.
> The installer was changed to add the user to group "sudo" if the system is
> installed with root disabled.
>
> For PolicyKit, I can now simply ship a file, say
> /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf which contains:
>
> [Configuration]
> AdminIdentities=unix-group:sudo
I would object to 'sudo' being a group of people that can simply become
root if they happen to be logged in -- is that what the PolicyKit
incantation would allow?
Cheers, Phil.
--
|)| Philip Hands [+44 (0)20 8530 9560] http://www.hands.com/
|-| HANDS.COM Ltd. http://www.uk.debian.org/
|(| 10 Onslow Gardens, South Woodford, London E18 1NE ENGLAND